virtumonde infection?

#1 bnoyce


Posted 17 April 2009 - 10:38 PM

I'm getting random popups, and when my computer boots it gets an error loading pawovuda.dll or something similar. Problems with my Hotmail account.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jack at 23:19:45.45 on Fri 04/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1436 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\AIM6\aim6.exe
G:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
G:\Program Files\Mozilla Firefox\firefox.exe
g:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Jack\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "g:\program files\microsoft activesync\Wcescomm.exe"
uRun: [system tool] c:\windows\sysguard.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [Diagnostic Manager] c:\docume~1\jack\locals~1\temp\2431972628.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AVG8_TRAY] g:\progra~1\avg\avg8\avgtray.exe
mRun: [Launch LgDevAgt] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [ZoneAlarm Client] "g:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [341835fb] rundll32.exe "c:\windows\system32\weyokupi.dll",b
mRun: [CPM372b0667] Rundll32.exe "c:\windows\system32\lunegogu.dll",a
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [<NO NAME>] c:\windows\temp\o1ee3tjn.exe
dRun: [Windows Resurections] c:\windows\temp\o1ee3tjn.exe
dRun: [Diagnostic Manager] c:\windows\temp\2054098256.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - g:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - g:\progra~1\micros~2\INetRepl.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\sisanaki.dll c:\windows\system32\lunegogu.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lunegogu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lunegogu.dll
STS: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
LSA: Notification Packages = scecli c:\windows\system32\sisanaki.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jack\applic~1\mozilla\firefox\profiles\l2m8p62y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: g:\program files\mozilla firefox\plugins\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 bnqcpawy;bnqcpawy;c:\windows\system32\drivers\bnqcpawy.sys [2001-8-23 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-26 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-26 27656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-26 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-3-25 464264]
R2 avg8wd;AVG Free8 WatchDog;g:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-26 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-10 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]

=============== Created Last 30 ================

2009-04-16 23:18 46 a------- c:\windows\system32\p2hhr.bat
2009-04-16 23:17 15,000 a------- c:\windows\system32\jh9fgo4ksdgf.dll
2009-04-16 23:17 23,040 a------- c:\windows\system32\ak1.exe
2009-04-16 01:54 <DIR> --d----- c:\docume~1\jack\applic~1\pidle
2009-04-16 01:45 1,408,758 ---sh--- c:\windows\system32\ipukoyew.ini
2009-04-13 14:17 48,456 a------- c:\windows\system32\UninstallElectricSheep.exe
2009-04-13 14:17 <DIR> --d----- c:\windows\system32\electricsheep-cache
2009-03-25 20:27 <DIR> --d----- c:\program files\AskBarDis

==================== Find3M ====================

2009-04-16 01:44 87,552 a--sh--- c:\windows\system32\lunegogu.dll
2009-04-16 01:44 79,872 a--sh--- c:\windows\system32\weyokupi.dll
2009-04-15 23:42 137,992 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-15 23:42 201,816 a------- c:\windows\system32\PnkBstrB.exe
2009-03-25 20:26 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-03 21:26 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-03-02 13:16 591,296 a------- C:\WebmailPlugin.dll
2009-02-26 22:41 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-26 22:41 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-25 00:33 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-02-16 00:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-10 12:40 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-27 15:01 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:20:36.59 ===============

#2 Blade81


Posted 24 April 2009 - 06:00 PM


Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

#3 Blade81


Posted 30 April 2009 - 06:02 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.